DETAILED ACTION 
Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
4/07/2009 has been entered. 

Response to Arguments 

Applicant has amended claim 10 to read "The system of claim 1, further comprising a 
user information cache that caches a copy of said user authentication information in 
case of a failure in a communication link between the first type server and the second 
type of server." 

Because the limitation does not actually perform any steps but addresses the 
intended use of caching the information, the new limitation will not be given patentable 
weight and will be treated as intended use. 

Applicant's arguments with respect to the remaining claims have been 
considered but are moot in view of the new ground(s) of rejection. 
Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claims 5 and 10 recite the limitations "said plurality of first type servers" and "said 
user authentication information." There is insufficient antecedent basis for these limitations 
in the claims. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was 
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 
Claims 1, 3-5, 7-14, 16-18, 20-25, 51-55 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Fisher (20030033535) in view of Fichtner (20030005297). 



Regarding Claims 1, 13-14 

Fisher teaches a system for single security administration comprising: 

A first type server wherein the first type server includes an authentication server 
("Fig. 2 shows a block diagram illustrating the architecture 200 of an exemplary common 
authentication protocol or proxy (CAP) server 40 according to one embodiment of the 
invention" Paragraph [0019]). The Examiner interprets the CAP server as the first 
authentication server. The Examiner interprets the "first type server" as the CAP server in 
conjunction with the plurality of Applications that may call it. 

a plurality of second type servers, wherein each second type server includes an 
embedded server; ("The architecture of the CAP server includes... an authentication 
interface which communicates with directory service backends including... LDAP" Paragraph 
[0019]) The Examiner interprets the authentication backend as the second server. 

and each second type server is associated with a security data repository that 
provides to the second type server user security information associated with both the 
first type server and the second type server ("the CAP server will perform authentication by 
accessing the database of the appropriate authentication backend for the given application... it 
obtains the user or user group information it requires to perform authentication function from an 
external user or user group database contained in an authentication backend" Paragraph 
[0023]) The Examiner interprets the data repository as the database. The Examiner interprets 
the user security information as the authentication or credential information. 

a default security plugin at said first server that receives authentication requests 
from clients and forwards them to said first authentication server; ("A user 30 wishes to 
begin an application 20 on the data processing system...The application 20 will send a request 
for authentication credentials 300 to the CAP server 40 (step 420)" Paragraph [0021]) The 
Examiner interprets the application as the default security plugin that receives authentication 
requests from clients and forwards them to an authentication server. ("Secure Channel from the 
Client... Security is provided by encapsulation at the transport layer so that alternate security 
methods may be used or "plugged in." Paragraph [0123]) ("The invention addresses the need 
to reduce user logon complexity at the desktop while offering the open architecture to integrate 
easily into current enterprise environments... CAP... allows applications to access existing 
directory service authentication backends" Paragraphs [0006-0007]) 

wherein, in response to receiving a request for authentication from a client, the 
authentication server at the first type server determines which second type server 
stores security information for the particular user; the system initiates a session 
between said first server and said second server, passes query information from said 
LDAP authentication server to said embedded LDAP server, receives corresponding 
user information, ("The CAP server will perform authentication by accessing the database of 
the appropriate authentication backend 110 for the given application." Paragraph [0023]) 

and creates a token that reflects an authentication result that can be used by said 
client. ("If the credentials are authentic, then the CAP server will return an authentication token 
to the application." Paragraph [0024]) 
Regarding the Applicant's amendment reciting a "plurality of first type servers": as the purpose of 
Fisher is to connect a plurality of different application servers to a single authentication 
backend, Fisher anticipates "a plurality of first type servers." (See abstract or Figure 1) 

Fisher teaches wherein the first type server in combination with the CAP 
(Common Authentication Proxy) server connects with an LDAP authentication backend. 
(See Figure 1, CAP, LDAP; also "The invention supports many different backend authentication 
directory services including... LDAP" Paragraph [0008]) Therefore the CAP server (first 
type) acts as an LDAP authentication server. 

Fisher does not explicitly teach wherein the first type server holds only an access 
control list and relies on one of the plurality of second type servers to provide user and 
group information. 

Fichtner (2003/0005297) teaches wherein a first type server holds the access control list 
(ACL) and relies on one of the plurality of second type servers to provide user and group 
information ("Then based on each .. .backend server's sign-on credentials for each user or 
group, the administrator may... map application user identity to the backend HTTP server 
identity" Paragraph [0054])("The authentication server of the application then checks the 
requested Web Resource's ACL policy against the internal credential of the user to verify if 
access is allowed for the user" Paragraph [0056]) Therefore Fichtner teaches the 
authentication server holding the access control list and relying on the backend servers 
to provide group and user information. 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the system of Fisher to include keeping the ACL at the first server 
and the group and user information at the second server. 

The claim would have been obvious because a particular known technique 
(keeping the ACL in one server and user and group information in a second server) 
was recognized as part of the ordinary capabilities of one skilled in the art. 



Regarding Claims 3-5, 16-18 

Fisher and Fichtner teach the system of claim 1. Fisher teaches wherein the first 
server is an enterprise server (See Figure 1, Application 20 and CAP 40.) Fisher 
teaches wherein said second server is an application server ("This architecture supports 
and takes advantage of existing enterprise user/group authentication backends 110" 
Paragraph [0126] of Fisher). 

As the first server serves the needs of an enterprise it is considered an enterprise 
server. 



Regarding Claim 7, 20 
Fisher and Fichtner teach the system of claim 1 wherein said query information is 
query user information that specifies a particular user or group of users. ("In general, the 
CAP server... obtains the user or user group information it requires to perform its authentication 
function from an external user or user group database contained in the authentication backend" 
Paragraph [0023])(LDAP User Filter, LDAP Group Filter, Paragraph [0095-6] of Fisher) 

Regarding Claim 8, 21 

Fisher and Fichtner teach the system of claim 1 wherein the system includes a plurality 
of servers ("The invention seeks to provide a method and system for user authentication in a data 
processing system wherein users only have to logon once, while being able to access multiple 
applications and servers" Paragraph [0006] Fisher) 

Regarding Claim 9, 22 

Fisher and Fichtner teach the system of claim 8 wherein at least one of said 
plurality of servers include an LDAP authentication server. ("LDAP Server Host" 
Paragraph [00941]) 

Fisher does not explicitly teach where at least two servers include an LDAP 
authentication server. 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to include two LDAP authentication servers. 

The motivation is that Fisher already teaches using multiple servers, including 
one LDAP server. The mere duplication of parts does not produce any unexpected 
results. One of ordinary skill in the art would have been able to add another LDAP 
server without altering the functionality of the system. 

Regarding Claim 10, 23, 

Fisher and Fichtner teach the system of claim 1, further comprising a user 
information cache that caches a copy of said user information, ("the authentication token 
is generally stored in cache memory within the data processing system and is passed to each 
application that the user needs to access without the need to request new credentials each 
time" Paragraph [0030]) The Examiner interprets the authentication token as comprising user 
credentials. 

Regarding Claim 11, 24 

Fisher and Fichtner teach the system of claim 1. The Examiner asserts that any 
system which has multiple servers and is compatible with LDAP (including the system 
of Fisher) is scalable to include multiple LDAP authentication servers and/or multiple 
embedded LDAP servers. 
Regarding Claim 12, 25, 

Fisher and Fichtner teach the system of claim 1 wherein at least one of said servers 
include a console program for administering the security of the system. ("The CAP 
server includes an administration system that provides a system administrator with the ability to 
change or configure the CAP server's properties. Configuration may be HTML based. The 
HTML page may be generated by a servlet. The administration screens may be accessible 
from a browser, and editor, or an enterprise information portal. " Paragraph [0084]) The 
Examiner asserts that an administration system as described inherently requires a computer 
program. 

Regarding Claim 51, 

Fisher and Fichtner teach the system of claim 1, wherein: the user and group 
information is eliminated from the first type server. (Figure 11, and associated text of 
Fichtner) 

Regarding Claim 52, 

Fisher and Fichtner teach the system of claim 1 wherein: 

The session is a LDAP session that supports a single user security data store 
and administration (Figure 1, "LDAP") 
Regarding Claim 54, 

Fisher and Fichtner teach the system of claim 1, wherein: 

The first type server also supports a separate independent authentication 
mechanism with a separate security repository (Figure 2 shows multiple separate 
authentication mechanisms) 

Regarding Claim 55, 

Fisher and Fichtner teach the system of claim 53, further comprising: 

A migrating utility that takes user security information from the separate security 
repository associated with the first type server and updates the security data repository 
associated with at least one of the plurality of second type servers. (Paragraph [0041] 
see the "import" operation) 

Regarding Claim 53, 

Fisher and Fichtner teach the system of claim 1 wherein: 

Fisher and Fichtner do not explicitly teach each of the plurality of second type of 
servers supports backup or failover authentication. 

The Examiner takes Official Notice that backup or failover authentication is well 
known. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to have the servers support backup or failover authentication. 
The motivation is to provide support in case communication fails. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to HARRIS C. WANG whose telephone number is 
(571) 270-1462. The examiner can normally be reached on M-F 9-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, EDAN ORGAD can be reached on (571) 272-7884. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/Christian LaForgia/ 

Primary Examiner, Art Unit 2439 

/Harris C Wang/ 
Examiner, Art Unit 2439 